After I've successfully injected my dll into my target process, say "target.exe", how can I get the base address of "target.exe"?

I've tried GetModuleHandle(0) and GetModuleHandle("target.exe") but it doesn't seem to be right and I'm not sure how to debug. I've tried to print it like this:

```cpp
// retrieve target's base address
DWORD EXEBaseAddr = (DWORD) GetModuleHandle((LPCWSTR)"target.exe");
std::stringstream sstr;
sstr << EXEBaseAddr;
std::string str = sstr.str();
String^ str3 = gcnew String(str.c_str());
baseAddressLBL->Text = str3;
```

I had to cast it at the end again because I'm using a Windows Form (not sure if that's what it's called) to print the address in my interface.

FluffyBeing
  • Possible duplicate question, answered [here](http://stackoverflow.com/questions/11564148/how-to-get-the-starting-base-address-of-a-process-in-c). – noseratio Sep 01 '13 at 00:37
  • That thread seems to be dealing with accessing the address externally. – FluffyBeing Sep 01 '13 at 03:36

2 Answers


You are using the wide version of GetModuleHandle (i.e. GetModuleHandleW) thus you must pass it a valid wide string. Your mistake is that you are casting a non-wide string into a wide string which won't work. Use the following instead:

```cpp
(DWORD)GetModuleHandleW(L"target.exe");
```

Or, the following, which accomplishes the same thing:

```cpp
(DWORD)GetModuleHandleA("target.exe");
```

Natok
  • I seem to get the same address each time 4194304.. is this supposed to happen? I was expecting the base address to be different each time I start the process. – FluffyBeing Sep 01 '13 at 03:41
  • 1
    Depends on the process; mainly if it has Address Space Load Randomization enabled (you can see that with Process Explorer). 4194304 (aka. 0x400000) is a common base address AFAIK. – Natok Sep 01 '13 at 03:49
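As an added example, not from the question or either answer: a PowerShell check that shows whether an executable opts in to ASLR by reading the DllCharacteristics flags from its PE optional header, and then launches it a few times to record the main module's base address, which is what the injected DLL would see from GetModuleHandle. `$ExePath`, `Test-PeDynamicBase` and `Get-MainModuleBases` are names chosen here, and `$ExePath` must be pointed at the executable under test.

```powershell
# Added example: inspect ASLR opt-in of an EXE and compare its base address across launches.
# Assumption: $ExePath points at the executable being investigated (e.g. target.exe).

function Test-PeDynamicBase {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # e_lfanew at DOS-header offset 0x3C points to the "PE\0\0" signature
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOff) -ne 0x00004550) { throw "Not a PE file: $Path" }
    # Optional header follows the 4-byte signature and the 20-byte COFF file header
    $optOff = $peOff + 24
    $magic = [BitConverter]::ToUInt16($bytes, $optOff)      # 0x10b = PE32, 0x20b = PE32+
    # DllCharacteristics sits at optional-header offset 70 in both PE32 and PE32+
    $dllChars = [BitConverter]::ToUInt16($bytes, $optOff + 70)
    [pscustomobject]@{
        Path        = $Path
        Format      = if ($magic -eq 0x20b) { 'PE32+' } else { 'PE32' }
        # Preferred load address from the header; 0x400000 is the classic default for EXEs
        ImageBase   = if ($magic -eq 0x20b) { '0x{0:X}' -f [BitConverter]::ToUInt64($bytes, $optOff + 24) }
                      else                  { '0x{0:X}' -f [BitConverter]::ToUInt32($bytes, $optOff + 28) }
        # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040): image may be relocated by ASLR
        DynamicBase = (($dllChars -band 0x0040) -ne 0)
        # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (0x0020): 64-bit high-entropy ASLR
        HighEntropy = (($dllChars -band 0x0020) -ne 0)
    }
}

function Get-MainModuleBases {
    param([Parameter(Mandatory)][string]$Path, [int]$Runs = 3)
    1..$Runs | ForEach-Object {
        $p = Start-Process -FilePath $Path -PassThru
        Start-Sleep -Milliseconds 500            # give the loader time to map the image
        # MainModule is the EXE itself; its BaseAddress is what GetModuleHandle(NULL)
        # returns inside that process. Note: PowerShell and the target must match in bitness
        # (32- vs 64-bit) for module enumeration to succeed.
        $base = $p.MainModule.BaseAddress
        Stop-Process -Id $p.Id -Force
        '0x{0:X}' -f $base.ToInt64()
    }
}

$ExePath = 'C:\path\to\target.exe'   # assumption: replace with the EXE you are inspecting
Test-PeDynamicBase -Path $ExePath | Format-List
Get-MainModuleBases -Path $ExePath -Runs 3
```

If DynamicBase is false the base addresses printed by the second function will repeat (typically the header's ImageBase); if it is true they should differ between launches, which matches the behaviour Natok describes.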
GetModuleHandle(NULL); does get the current running process's id ;) so if your code is running inside of the target.exe process you should be retrieving the process id using that API call. Are you sure that you were able to successfully inject the dll and jump the call to your code?

If you are sure your code is working you could try to use the GetCurrentProcessId(); function; it retrieves the calling process's id :) more about it on the MSDN

http://msdn.microsoft.com/en-us/library/windows/desktop/ms683180(v=vs.85).aspx

Paze